Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Remove in bulk direct assigned license to users who have group assigned license with Azure AD PowerShell v1
<#
Modified version of the script from Microsoft Documentation.
Removed the part that checks if the users is assigned more products than the group assigned license.
Added connection part and help to find Sku and Group Object ID.
This script requires Azure AD (aks MSOL) PowerShell v1. It doesn't seem possible to do so with v2.
Ref: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-ps-examples
#>
Import-Module MSOnline
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential
#Get License Sku for the tenant
Get-MsolAccountSku
#license to be removed
$skuId = "Contoso:STANDARDPACK"
#add here the group with license assignment to be processed
$LicensedGroup = "Licensed_Group"
#Get the group Object ID
$groupId = (Get-MsolGroup -SearchString $LicensedGroup).ObjectId
#Helper functions used by the script
#Returns TRUE if the user has the license assigned directly
function UserHasLicenseAssignedDirectly
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId)
$license = GetUserLicense $user $skuId
if ($license -ne $null)
{
#GroupsAssigningLicense contains a collection of IDs of objects assigning the license
#This could be a group object or a user object (contrary to what the name suggests)
#If the collection is empty, this means the license is assigned directly - this is the case for users who have never been licensed via groups in the past
if ($license.GroupsAssigningLicense.Count -eq 0)
{
return $true
}
#If the collection contains the ID of the user object, this means the license is assigned directly
#Note: the license may also be assigned through one or more groups in addition to being assigned directly
foreach ($assignmentSource in $license.GroupsAssigningLicense)
{
if ($assignmentSource -ieq $user.ObjectId)
{
return $true
}
}
return $false
}
return $false
}
#Returns TRUE if the user is inheriting the license from a specific group
function UserHasLicenseAssignedFromThisGroup
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [Guid]$groupId)
$license = GetUserLicense $user $skuId
if ($license -ne $null)
{
#GroupsAssigningLicense contains a collection of IDs of objects assigning the license
#This could be a group object or a user object (contrary to what the name suggests)
foreach ($assignmentSource in $license.GroupsAssigningLicense)
{
#If the collection contains at least one ID not matching the user ID this means that the license is inherited from a group.
#Note: the license may also be assigned directly in addition to being inherited
if ($assignmentSource -ieq $groupId)
{
return $true
}
}
return $false
}
return $false
}
#Returns the license object corresponding to the skuId. Returns NULL if not found
function GetUserLicense
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [Guid]$groupId)
#we look for the specific license SKU in all licenses assigned to the user
foreach($license in $user.Licenses)
{
if ($license.AccountSkuId -ieq $skuId)
{
return $license
}
}
return $null
}
#process staging removal for only 20 members in the group first
Get-MsolGroupMember -MaxResults 20 -GroupObjectId $groupId |
#get full info about each user in the group
Get-MsolUser -ObjectId {$_.ObjectId} |
Foreach {
$user = $_;
$operationResult = "";
#check if Direct license exists on the user
if (UserHasLicenseAssignedDirectly $user $skuId)
{
#check if the license is assigned from this group, as expected
if (UserHasLicenseAssignedFromThisGroup $user $skuId $groupId)
{
#remove the direct license from user
Set-MsolUserLicense -ObjectId $user.ObjectId -RemoveLicenses $skuId
$operationResult = "Removed direct license from user."
}
else
{
$operationResult = "User does not inherit this license from this group. License removal was skipped."
}
}
else
{
$operationResult = "User has no direct license to remove. Skipping."
}
#format output
New-Object Object |
Add-Member -NotePropertyName UserId -NotePropertyValue $user.ObjectId -PassThru |
Add-Member -NotePropertyName OperationResult -NotePropertyValue $operationResult -PassThru
} | Format-Table
<#You can then process all members in the group if the result of staging is OK
Get-MsolGroupMember -All -GroupObjectId $groupId |
#get full info about each user in the group
Get-MsolUser -ObjectId {$_.ObjectId} |
Foreach {
$user = $_;
$operationResult = "";
#check if Direct license exists on the user
if (UserHasLicenseAssignedDirectly $user $skuId)
{
#check if the license is assigned from this group, as expected
if (UserHasLicenseAssignedFromThisGroup $user $skuId $groupId)
{
#remove the direct license from user
Set-MsolUserLicense -ObjectId $user.ObjectId -RemoveLicenses $skuId
$operationResult = "Removed direct license from user."
}
else
{
$operationResult = "User does not inherit this license from this group. License removal was skipped."
}
}
else
{
$operationResult = "User has no direct license to remove. Skipping."
}
#format output
New-Object Object |
Add-Member -NotePropertyName UserId -NotePropertyValue $user.ObjectId -PassThru |
Add-Member -NotePropertyName OperationResult -NotePropertyValue $operationResult -PassThru
} | Format-Table
#>
@filoprinceau

This comment has been minimized.

Copy link

filoprinceau commented Nov 26, 2018

Run the script, but it didnt remove the license. Result just says User has no direct license to remove. skipping.
although the users have direct license assigned. Any idea?

@neil-sabol

This comment has been minimized.

Copy link

neil-sabol commented Jul 11, 2019

Awesome script - many thanks for sharing! This will save A LOT of time on cleanup after migrating 80,000+ users from direct to group based licensing. Thanks again!

@lightupdifire

This comment has been minimized.

Copy link

lightupdifire commented Jul 31, 2019

Script worked well, thanks for share!

@mwebbcg

This comment has been minimized.

Copy link

mwebbcg commented Aug 19, 2019

Script works great, Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.